Merge pull request from GHSA-585m-rpvv-93qg
Addresses https://github.com/nvaccess/nvda/security/advisories/GHSA-585m-rpvv-93qg
Summary of the issue:
NVDA introduced the report dev info script as a safe script for the lock screen in 2021.3.2 via nvaccess/nvda#13328.
This was under the assumption that the log viewer never shows up on the lock screen.
However, using certain steps, the log viewer can be interacted with on the lock screen.
Further steps allow opening the NVDA Python console, allowing arbitrary code execution.
Description of user-facing changes:
The devInfo script (open the log viewer and report navigator object information) is no longer available on the lock screen.
Description of development approach:
Remove devInfo from safe scripts.
Review the security of other scripts in safe scripts.
Added additional security protection to ScreenExplorer used by touch interaction, as well as setting the review position with api.setReviewPosition.
Testing strategy:
Test the STR in https://github.com/nvaccess/nvda/security/advisories/GHSA-585m-rpvv-93qg with a self-signed build.